📘 Documentation: Log Retention Policy (ILM)
Purpose: Automatically deletedemo-app-logs-* indices once they reach 15 days of age to manage disk space.
Log Source: Fluent Bit (sending daily dated indices).
1. The ILM Policy (demo_app_logs_retention_policy)
This policy defines the “rules” for the data. Since the logs are already rotated daily by Fluent Bit, we use a simple Delete-only phase.
- Hot Phase: Active; no actions (keeps logs searchable).
- Delete Phase: Triggers when the index age is > 15 days.
2. The Index Template (demo_app_logs_template)
This is the “glue” that ensures every new index created by Fluent Bit automatically follows the retention policy.
- Index Pattern:
demo-app-logs-* - Settings: Links the index to the policy name.
3. Application to Existing Indices
New policies only apply to indices created after the template is made. To manage existing “unmanaged” indices, the policy must be attached manually:🛠 Troubleshooting & Maintenance
How to check status
To see if the “Janitor” (ILM) is currently processing or deleting indices:Common States
| Step | Meaning |
|---|---|
hot | The index is younger than 15 days; it is safe and searchable. |
delete | The index has hit 15 days; it has entered the deletion queue. |
wait-for-shard-history-leases | The final safety check before the files are wiped from the disk. |
Key Takeaways for Future Ref
- No Rollover: Do not use
rolloverin the policy if your logs already have dates in their names (e.g.,logs-2026.03.05). Using both causes alias errors. - No Aliases: In this simplified setup, aliases are not required, making the system much harder to break.
- 10-Minute Poll: ILM checks for deletions every 10 minutes by default. Changes are not always instant.